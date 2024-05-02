
This article was made possible thanks to contributions from Aaron Gdanski.
IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.
The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored by the Cybersecurity and Infrastructure Security Agency’s (CISA) recent Cybersecurity Advisory on the group and the hundreds of victims Akira ransomware actors have claimed across multiple industries and geographies.
Akira threat actors employ a double extortion scheme involving both exfiltration of data and enterprise-wide encryption. Akira affiliates demand a ransom payment in exchange for not publishing the stolen files on their onion site and for a decryption key to recover the affected files. The group’s name appears to allude to the 1988 anime movie of the same name.
Akira ransomware actors have deployed two sites on the dark web—both are .onion locations mentioned in the ransom note left by Akira after each attack. The sites are stylized in a way that hearkens back to ARPANET in the early 1980s.
The first site includes general information about the ransomware group, advertises stolen records from the group’s victims, includes news about potential data releases and identifies ways to contact the group.
Figure 1: Akira ransomware .onion dark web name-and-shame site (Source: X-Force dark web research)
The second site is used for negotiations. To access this site, a user needs to input a password included in the ransom note as a unique identifier.
Figure 2: Akira ransomware .onion dark web negotiations portal (Source: X-Force dark web research)
After gaining access, the negotiation portal displays a message telling the victim that the Akira group is preparing a sample of stolen data from the victim organization. This process may be manual for the threat actor, based on the amount of time it appears to take. Once ready, the threat group will attach a file that includes a list of folders and files exfiltrated during the operation in an effort to prove to the victim that Akira actors stole authentic files before encryption occurred.
Figure 3: Akira support chat within dark web negotiations portal (Source: Lab539)
Since CVE-2023-20269 was disclosed in early September 2023, Akira ransomware threat actors have widely exploited this vulnerability in the wild. CVE-2023-20269 affects the virtual private network (VPN) features of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), allowing unauthenticated remote attackers to conduct brute force attacks against existing accounts.
After initial access, the group employs a variety of tools and malware for reconnaissance, data exfiltration and lateral movement, along with specially crafted scripts to spread the ransomware binary across the network.
Figure 4: Suite of tools used by Akira ransomware actors (Source: X-Force)
Unlike some ransomware families with worm behavior modules for propagation or replication without human interaction, Akira ransomware requires an active procedure to spread the infection within networks. Common options are the use of domain controller policies if the threat actor has reached this level of access or the use of features embedded in the Akira binary triggered by batch or bash scripts.
X-Force has observed Akira ransomware actors use batch scripts with the following pattern after completing reconnaissance activities:
"start akira_binary.exe -remote -n=3 -p=\\xx.xx.xx.xx\C$"
The Akira ransomware binary creates a text file located in the current directory where the execution took place.
IBM X-Force has analyzed both Windows and Linux binaries for Akira ransomware. The Linux and Windows versions of Akira function similarly, the main difference being the libraries used to support cryptographic operations. Akira appends .akira to the filename of encrypted files and drops a ransom note in each directory where files are encrypted. The ransom note contains a Tor link and a code that the victim can use to log on to a chat system to negotiate the ransom.
In one instance, the Akira ransomware file was compiled at the end of December 2023, specifically 2023-12-28 14:49:57 UTC, and was developed in C++.
Figure 5: Date time stamp for Akira ransomware compilation—December 28, 2023 (Source: X-Force)
Upon execution, Akira ransomware will create a log file in the current directory. The filename of the log file is based on the current local time of the system, in the following format: "Log-<Day>-<Month>-<Year>-<Hour>-<Minute>-<Second>.txt". If an error occurs while encrypting a file, Akira will write an error message to the log file. Additional information regarding the program’s command line parameters is also written to the log file. Once the log file is created, Akira will begin parsing its command line arguments. The following command line arguments are accepted by the Windows version of Akira:
Figure 6: Command line arguments used by Akira ransomware (Source: X-Force)
Once command line arguments are parsed, Akira will delete all shadow copies using the PowerShell command: powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject". This command is executed using Component Object Model (COM) objects to evade detection. Additionally, Akira may attempt to kill processes with the following names:
Figure 7: Processes Akira ransomware attempts to kill (Source: X-Force)
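The host artefacts described above (the batch-script deployment pattern, the shadow copy deletion command and the Log-<Day>-<Month>-<Year>-<Hour>-<Minute>-<Second>.txt run log) lend themselves to simple endpoint detection rules. The following is an added example written for this article, not code from X-Force or from the report; the telemetry field names (host, cmdline, filename) and the sample events are constructed assumptions.

```python
import re

# Added example (not code from the X-Force report): rules that flag, in constructed
# endpoint telemetry, the Akira host artefacts the report describes. The event field
# names (host, cmdline, filename) and the sample values are assumptions of this example.

# Deployment pattern: "start akira_binary.exe -remote -n=3 -p=\\host\C$". The binary
# name changes between intrusions, so match the argument shape rather than the name.
REMOTE_DEPLOY = re.compile(
    r"-remote\b.*?-n=\d+.*?-p=\\\\[^\\\s]+\\[A-Za-z]\$", re.IGNORECASE)

# Shadow copy deletion via WMI, as quoted in the report.
SHADOW_DELETE = re.compile(
    r"Get-WmiObject\s+Win32_Shadowcopy\s*\|\s*Remove-WmiObject", re.IGNORECASE)

# Run log: Log-<Day>-<Month>-<Year>-<Hour>-<Minute>-<Second>.txt in the launch directory.
RUN_LOG = re.compile(r"^Log-\d{1,2}-\d{1,2}-\d{4}-\d{1,2}-\d{1,2}-\d{1,2}\.txt$")


def classify_cmdline(cmdline: str) -> list[str]:
    """Return the rule names a process command line triggers (empty if none)."""
    hits = []
    if REMOTE_DEPLOY.search(cmdline):
        hits.append("akira_remote_deploy")
    if SHADOW_DELETE.search(cmdline):
        hits.append("shadow_copy_deletion")
    return hits


def classify_filename(name: str) -> list[str]:
    """Return the rule names a created-file name triggers (empty if none)."""
    hits = []
    if RUN_LOG.match(name):
        hits.append("akira_run_log")
    if name.lower().endswith(".akira"):  # extension appended to encrypted files
        hits.append("akira_encrypted_file")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Map (host, cmdline|filename) events to (host, rule) findings, in event order."""
    findings = []
    for ev in events:
        rules = classify_cmdline(ev.get("cmdline", "")) + classify_filename(ev.get("filename", ""))
        findings.extend((ev["host"], r) for r in rules)
    return findings


# Constructed sample telemetry: three malicious events, a benign read-only WMI query
# that must not fire, and a benign file creation.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "start akira_binary.exe -remote -n=3 -p=\\\\10.0.0.5\\C$"},
    {"host": "ws01", "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "ws02", "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy"'},
    {"host": "ws02", "filename": "Log-28-12-2023-14-49-57.txt"},
    {"host": "ws03", "filename": "budget.xlsx.akira"},
    {"host": "ws03", "filename": "notes.txt"},
]
```

Running scan(SAMPLE_EVENTS) yields four findings: the remote deployment and shadow copy deletion on ws01, the run log on ws02 and the encrypted file on ws03, while the read-only Win32_Shadowcopy query stays silent.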
Once these processes are killed, Akira will begin encryption. Files are encrypted using ChaCha20 or KCipher-2. Files larger than 2 MB will be encrypted in blocks, while smaller files will be encrypted based on the encryption percentage provided in the command line arguments. By default, 50% of every file smaller than 2 MB is encrypted. Each encrypted file is given a .akira extension. Akira will not encrypt files with any of the following extensions:
The Linux version of Akira uses the same list of excluded directories and file extensions as the Windows version to filter targeted files, even though those paths and extensions are found on Windows systems rather than Linux. Akira will not encrypt any files within the following folders:
Organizations can take several steps to harden defenses against Akira ransomware. While there is no guaranteed approach to prevent a ransomware attack—including from Akira threat actors—implementing these measures can make it harder for Akira attackers to employ their preferred techniques:
In addition to the above, X-Force recommends taking advantage of proactive and remedial actions provided by CISA in its April 18 report.
To learn how IBM X-Force can help you with anything regarding cybersecurity, including incident response, threat intelligence or offensive security services, schedule a meeting here.
If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.